[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services
From: Joshua Mulliken <joshua@xxxxxxxxxxxx>
Date: Mon, 13 May 2019 18:19:31 +0000

===================
Title: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web 
Tailor and Banner Enterprise Identity Services
Author: Joshua Mulliken <joshua@xxxxxxxxxxxx>
Thanks to: Carnegie Mellon University CERT Coordination Center
Date Found: Dec. 17, 2018
Vendor: Ellucian Company L.P.
Vendor Homepage: https://www.ellucian.com
Products: Banner Web Tailor and Banner Enterprise Identity Services
Web Tailor Affected Versions: 8.8.3, 8.8.4, 8.9
Banner Enterprise Identity Services Affected Versions: 8.3, 8.3.1, 8.3.2, 8.4
CVE: CVE-2019-8978
===================

Table of Contents
=================
=-=-=-=-=-=-=-=-=
1 - Executive Summary
2 - Product
3 - Impact and Recommendations
  a - Impact
  b - Recommendations
4 - Technical Details
  a - Technical Description
  b - Exploit Code
5 - Disclosure Time-line
6 - References
=-=-=-=-=-=-=-=-=

1) Executive Summary
====================

An improper authentication vulnerability (CWE-287) was identified in Banner Web 
Tailor and Banner Enterprise Identity Services. This vulnerability is produced 
when SSO Manager is used as the authentication mechanism for Web Tailor, where 
this could lead to information disclosure and loss of data integrity for the 
impacted user(s). The vendor has verified the vulnerability and produced a 
patch that is now available. For more information see the postings on Ellucian 
Communities: [LINK NOT PROVIDED BEFORE DEADLINE] and Banner Enterprise Identity 
Services: [LINK NOT PROVIDED BEFORE DEADLINE]. [1]

2) Product
==========

Banner Web Tailor is a web tool, made for higher education institutions, that 
provides registration, curriculum management, advising, administration, and 
reporting functionality. Students are able to access and change their 
registration, graduation, and financial aid information. Professors and 
teachers are able to input final grades and manage their courses. 
Administrators are able to access and change student and teacher information. 
It is used by hundreds of institutions, many of which have opted to use the 
Single Sign-on Manager in order to participate in CAS- and SAML-based single 
sign-on services. [2]

3) Impact and Recommendations
=============================

a) Impact
---------

A user's unique identifier, UDCID, is leaked via a cookie and it could lead to 
account compromise if this identifier is captured or otherwise known, in the 
case tested the UDCID was known to be the institutional ID printed on ID cards. 
The UDCID could be used to exploit a race condition that would provide an 
attacker with unauthorized access. For a student, the attacker could drop them 
from their courses, reject financial aid, change their personal information, 
etc. For a professor, this could lead to an inability to manage their courses, 
allow a malicious student to put in false final grades, etc. For an 
administrator, an attacker could change users information, place false holds on 
student accounts, etc.

b) Recommendations
------------------

Organizations affected should update to the latest version. More information 
can be found in the postings on Ellucian Communities: [LINK NOT PROVIDED BEFORE 
DEADLINE] and Banner Enterprise Identity Services: [LINK NOT PROVIDED BEFORE 
DEADLINE]. Please utilize Ellucian Communities or contact Ellucian through 
ActionLine to get more information. Updates to this disclosure will be 
available on GitHub: https://github.com/JoshuaMulliken/CVE-2019-8978

4) Technical Details
====================

a) Technical Description
------------------------

The improper authentication vulnerability can be exploited through a race 
condition that occurs in Ellucian Banner Web Tailor, in conjunction with SSO 
Manager. This vulnerability allows remote attackers to steal a victim's session 
(and cause a denial of service) by repeatedly requesting the initial Banner Web 
Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in 
the case tested is the institutional ID. During a login attempt by a victim, 
the attacker can leverage the race condition and will be issued the SESSID that 
was meant for this victim. See proof of concept code located at the GitHub link 
below for more details.

b) Exploit Code
---------------

Exploit code will be made available later via Github: 
https://github.com/JoshuaMulliken/CVE-2019-8978

5) Disclosure Time-line
=======================

December 18, 2018: Attempted reporting through Ellucian's marketing web-form 
and sent to informationsecurityassessmentteam@xxxxxxxxxxxx
December 20, 2018: Submitted report to CERT Coordination Center at Carnegie 
Mellon University
January 2, 2019: Submitted report to a CISO at Ellucian who was discovered 
through LinkedIn
January 2, 2019: Requested information on responsible disclosure procedure from 
the University of South Carolina
January 3, 2019: Was told to report through ActionLine by Ellucian
January 4, 2019: Was told by the University of South Carolina that there is no 
procedure for reporting vulnerabilities
January 4, 2019: Told the University of South Carolina that I had discovered a 
vulnerability in Banner
February 18, 2019: CERT informed me of failure to reach the vendor and advised 
me to publicly disclose
February 25, 2019: Sent draft of advisory to Ellucian and set the date of 
disclosure to March 4th.
February 28, 2019: Ran demo of vulnerability for Ellucian over Zoom conference
March 1, 2019: Was asked by the University of South Carolina to delay 
publication
March 21, 2019: The University of South Carolina received a backported patch 
from Ellucian
March 26, 2019: Ellucian finalized patches for all versions
March 29, 2019: Was told by Ellucian that the University of South Carolina 
would be doing changes on the 1st of April
April 1, 2019: Requested information on patch status from the University of 
South Carolina
April 5, 2019: The University of South Carolina gave ETA of April 30, 2019
April 30, 2019: The University of South Carolina updated ETA to the middle of 
May
May 7, 2019: Set publication date of disclosure to May 13
May 10, 2019: The University of South Carolina posted a planned outage notice 
for all Banner Services scheduled for May 11
May 11, 2019: The University of South Carolina successfully installed the patch
May 13, 2019: Disclosure published

6) References
=============

[1] https://cwe.mitre.org/data/definitions/287.html
[2] https://www.ellucian.com/solutions/ellucian-banner-student

Prev by Date: APPLE-SA-2019-5-13-5 Safari 12.1.1
Next by Date: [SECURITY] [DSA 4443-1] samba security update
Previous by thread: APPLE-SA-2019-5-13-5 Safari 12.1.1
Next by thread: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services
Index(es):
- Date
- Thread